Post by Vidar Hokstad
Post by Daniel P. Berrange
Take a look at our FreeIPA project. It integrates Kerberos,
and Fedora Directory Server into one slick application with a very nice
web management interface & command line toolset.
FreeIPA looks interesting, but when I looked at the webpage, my first
reaction was buzzword / "consultant speak" overload, followed by the
thought "but what does it actually DO?" and I can't seem to find much
in terms of hard facts on the site unless I go diving into the source.
There's a reasonable overview of the concepts / ideas here:
Post by Vidar Hokstad
I.e. what would it actually buy me for a small to medium sized
installation over, say, OpenLDAP + LdapDNS + phpldapadmin for example?
A nicer management interface is nice and all, but you have to have a
pretty large shop before things change frequently enough that it's a
big deal (and the same before multi-master replication becomes
important). From the web page I can't even tell if FreeIPA has feature
parity with the above combination in terms of what I could do with it.
I can see there are some things that FreeIPA supports that I _can't_
do with the above, but unfortunately none of those things matters to
me (if I had a larger install it would, though).
Primarily it is about providing a pre-integrated solution of the
various apps it bundles, in particular Kerberos, LDAP and FreeRadius.
This takes the pain out of setting up & configuring all the apps to
talk to each other. So as an admin you just need to yum install the
software (or equivalent) and then run the setup script, which prompts
for the name of the realm, DNS domain name and admin password. Everything
else is then configured based on this info. For admins not already
familiar with Kerberos & LDAP administration this is a very big win,
making installation an order of magnitude easier. I managed to get it
up & running in about 30 minutes with zero prior knowledge of Kerberos.
Post by Vidar Hokstad
More specifically, I noticed Debian-based distros were noticeably
absent from the client installation docs, and the docs that are there
seem to say very little about what the client installation actually
covers (in terms of what applications will actually be able to use the
ipa client support). Any plans for Debian support on the client, or at
least some info on what needs to be in place?
The client tools are focused on making it easier to configure a machine
to use Kerberos/LDAP services for authentication, and fetching of service
principals for servers which need them. As such the client tools are
optional - you can still manually configure /etc/krb5.conf and similar
files if desired - it's just standard Kerberos & LDAP after all.
The IPA development is primarily done on Fedora since most of the developers
are working for Red Hat, but the code/tools themselves should work on any
Linux distro if the software pre-requisite versions are met. There may be
people packaging for Debian, but you'd have to ask on the IPA mailing list
about that, since I'm not up2date on that development.
Post by Vidar Hokstad
When setting up OpenLDAP here, the biggest problems we ran into were
not the server, by the way, but getting all the different apps we use
that rely on identity and authorization to actually use PAM or the
LDAP server instead of a myriad of other authentication methods. That
included building a number of new packages and a ton of updates, and
assorted random breakage (our mail server suddenly decided it needed
an existing home directory to deliver mail to the users after we made
it use LDAP to check for the existence of a user account instead of
its own table, for example) that took a while to sort through. That's
something I really hope most/all distros put more effort into.
I'd really like to hear more about what the actual benefits of FreeIPA
are, though... At the moment just getting most apps here reconfigured
to use LDAP is/will be a huge improvement, but anything that makes
managing the whole thing less painful is very attractive.
Ease of deployment & initial configuration of the server, ease of client
configuration, and consistent ongoing management are all core goals and
benefits of the IPA project. It is a young project, only at version 1.0
though so it obviously hasn't solved all the problems just yet :-) It has
been moving forward very quickly in the 6 months I've been using the
|: http://berrange.com/ -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://freshmeat.net/~danielpb/ -o- http://gtk-vnc.sourceforge.net :|